Wireless or keyless access is becoming more prevalent, and is supplementing or replacing traditional key-based methods of access. Wireless access allows a user to wirelessly unlock, access, activate, control, use, or operate different secured resources with minimal or no interaction by the user. Some examples of secured resources that may accessed without keys and with minimal or no interaction by the user include vehicles, points of entry (e.g., doors, gates, turnstiles, elevators, and/or other physical barriers), security systems, lighting systems, climate control systems, and/or other remote keyless systems and devices. For example, a user may unlock a vehicle and turn on the vehicle by the user simply moving an access device, that remains in the user's pocket, in range of the vehicle.
Security is a concern for any wireless or keyless access methodology or system. Relay attacks are one such security risk. A successfully executed relay attack allows an attacker to unlock, access, or operate a secured resource by simply extending the signaling between an authorized user's access device and the secured resource.
FIG. 1 illustrates an example of a successful relay attack. Secured resource 110 may emit (at 1) a short-range radio signal. First attacker 120 may position a first relay attack device next to secured resource 110. The first relay attack device may receive (at 1) signaling from secured resource 110, and may transmit (at 2) the signaling unchanged over a wireless network to a second relay attack device of second attacker 130.
Second attacker 130 may position the second relay attack device adjacent to an access device of authorized user 140. The access device may be used to unlock, access, or operate secured resource 110 when the access device is placed next to secured resource 110 (e.g., within a few inches or few feet of secured resource 110).
In this figure, the access device, that is carried by authorized user 140, is too far away from secured resource 110 for the access device to have any effect. However, the second relay attack device of second attacker 130 is brought in range of the authorized user's 140 access device, and the second relay attack device emits (at 3) the signaling of secured resource 110 that is captured and replayed by the first relay attack device of first attacker 120.
The access device detects the signaling of secured resource 110 as a result of the signaling being replayed over a long distance by the first and second relay attack devices of first attack 120 and second attacker 130. The access device has no means of distinguishing between the signaling originating from secured resource 110 or from a relay attack device of an attacker. Consequently, the access device operates as if it was physically next to secured resource 110 and receiving the signaling directly from secured resource 110. In particular, the access device may provide (at 4) signaling that include access credentials and/or other data for requesting and/or authorizing access to secured resource 110.
The second relay attack device of second attacker 130 may capture (at 4) the signaling provided by the access device, and may transmit (at 5) the signaling from the access device to the first relay attack device of first attacker 120. The first relay attack device of first attacker 120 may then replay (at 7) the access device signaling for secured resource 110, tricking secured resource 110 into detecting that the access device of authorized user 140 is physically next to secured resource 110, that the access device is originating the signaling with the access credentials, and/or that secured resource 110 is exchanging radio signaling directly with the access device of authorized user 140. In other words, the relay attack devices of attackers 120 and 130 bridge the distance between the access device and secured resource 110 that normally prevents the devices from communicating with one another by simply transferring the unmodified signaling over a long-range network connection and replaying the signaling at either end of the connection.
In response to the signaling, that is originated by the access device of authorized user 140 and that is replayed from the first relay attack device of first attacker 120, secured resource 110 may open, unlock, grant, or otherwise provide (at 8) access. First attacker 120 may then access, use, or operate secured resource 110 without breaking into secured resource 110 or physically stealing the access device from authorized user 140.
It should be noted that the relay attack would be carried out in a similar manner if the initial signaling is emitted from the access device instead of secured resource 110. In this case, the second relay attack device of second attacker 130 would be used to pass the initial signaling to the first relay attack device of first attacker 120, and the initial signaling may be used to initiate or complete the access procedure with secured resource 110.